(b) All the claims are believed to be directed to a single invention. If the
Office determines that all the claims presented are not obviously directed to a single 
invention, then Applicants will make an election without traverse as a prerequisite to the 
grant of special status. 

(c) Pre-examination searches were made of U.S. issued patents, including 
a classification search and a computer database search. The searches were performed on or 
around September 9, 2004, and were conducted by a professional search firm, Kramer & 
Amado, P.C. The classification search covered Class 711 (subclasses 151, 161, and 163) and 
Class 713 (subclasses 193 and 202) for the U.S. and foreign subclasses identified above. The 
computer database search was conducted on the USPTO systems EAST and WEST. The 
inventors further provided two references considered most closely related to the subject 
matter of the present application (see references #5-6 below), which were cited in the 
Information Disclosure Statements filed on March 1, 2004. 

(d) The following references, copies of which are attached herewith, are 
deemed most closely related to the subject matter encompassed by the claims: 



(1) U.S. Patent No. 4,413,328;
(2) U.S. Patent No. 4,947,318;
(3) U.S. Patent No. 6,728,844 B2;
(4) U.S. Patent No. 6,779,083 B2;
(5) European Patent Publication No. EP 1,117,028 A2; and
(6) Japanese Patent Publication No. JP 2001-265655.



(e) Set forth below is a detailed discussion of references which points out 
with particularity how the claimed subject matter is distinguishable over the references.

A. Claimed Embodiments of the Present Invention

The claimed embodiments relate to communication between a host computer 
and a storage subsystem and, more particularly, to a filtering technology and a 
communication cut off technology in communication at the time of an access from the host 
computer to a logical unit in the storage subsystem. 

Independent claim 1 recites a storage subsystem which is connected to a host 
computer through a communication line. The storage subsystem comprises an interface 
which is used for connecting to the communication line, wherein the interface comprises a 
first filter which judges, on the occasion of having received communication packets from the
communication line, whether there is a communication packet with a predetermined format
for use in an access to the storage subsystem, among the communication packets. The
interface further comprises a traffic measuring and judging unit which measures traffic of all 
communication packets received in the interface, and traffic of a communication packet 
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judges whether a communication failure is generated or not, and a 
communication failure alerting unit which alerts a management server connected to the 
storage subsystem and comprises a function of displaying information alerted, in case that it 
is judged that a communication failure is generated in the traffic measuring and judging unit.

Independent claim 9 recites a computer readable storage medium including a 
program for a computer mounted on a storage subsystem connected to a host computer 
through a communication line. The program comprises code for connecting to the 
communication line; code for judging, on the occasion of having received communication
packets from the communication line through connecting to the communication line, whether
there is a communication packet with a predetermined format for use in an access to the
storage subsystem, among the communication packets; code for receiving the communication
packet judged to be for the access in the judging, and judges whether it is a communication 
packet permitted to access to a storage area in the storage subsystem and transmitted from the 
host computer or not; code for measuring traffic of all communication packets received in 
connecting to the communication line, and traffic of a communication packet judged not to be 
the packet with the format in the first filter, respectively, and by using the both traffics, 
judging whether a communication failure is generated or not; and code for alerting a
management server connected to the storage subsystem and displaying information alerted, in
case that it is judged that a communication failure is generated in measuring the traffic of all 
communications packets received in connecting to the communication line. 

Independent claim 12 recites a computer readable storage medium including a 
program for a computer mounted on a management server which is connected to a storage 
subsystem. The program comprises code for referring to the traffic log, in case that it is 
alerted from a communication failure alerting unit of the storage subsystem that a
communication failure is generated, and searching a source of the communication packet
which causes the communication failure.

Independent claim 13 recites a computer readable storage medium including a 
program for a computer mounted on a management server which is connected to a storage 
subsystem. The program comprises code for referring to the traffic log, in case that it was 
alerted from a communication failure alerting unit of the storage subsystem that a 
communication failure is generated, and searching a source of the communication packet 
which causes the communication failure, and code for controlling, based on information of a 
source searched in the searching, a relay device which relays communication to the storage 
subsystem disposed on the communication line for receiving a communication packet so as to 
cut off communication from the source. 

Independent claim 15 recites a storage system in which a storage subsystem, a 
host computer, and a management server are connected by a communication line. The 
storage subsystem comprises an interface which connects to the communication line. The 
interface comprises, a first filter which judges, on the occasion of having received 
communication packets from the communication line, whether there is a communication 
packet with a predetermined format for use in an access to the storage subsystem, among the 
communication packets, a second filter which receives the communication packet judged to 
be for the access in the first filter, and judges whether it is a communication packet permitted 
to access to a storage area in the storage subsystem and transmitted from the host computer or 
not, a traffic measuring and judging unit which measures traffic of all communication packets
received in the interface, and traffic of a communication packet judged not to be the packet
with the format, respectively, and by using the both traffics, judges whether a communication
failure is generated or not, a communication failure alerting unit which alerts the management
server, in case that it is judged that a communication failure is generated in the traffic
measuring and judging unit, and a traffic log recording unit which records, as a traffic log,
communication information of a communication packet judged not to be the communication
packet with the format in the first filter and a communication packet judged not to be the
communication packet transmitted from the host computer permitted to access in the second
filter. The management server comprises a display device which displays the alert received
from the communication failure alerting unit, an improper communication source analyzing
unit which refers to the traffic log, in case that it is alerted from a communication failure
alerting unit of the storage subsystem that a communication failure is generated, and searches
a source of the communication packet which causes the communication failure, and a relay
device control unit which controls, based on information of a source searched in the improper
communication source analyzing unit, a relay device which relays communication to the
storage subsystem disposed on the communication line so as to cut off communication from
the source. 

Independent claim 19 recites a communication control method in a storage 
system in which a storage subsystem, a host computer, and a management server are 
connected by a communication line. The method comprises judging, when communication
packets from the communication line were received in the storage subsystem, whether there
is a communication packet with a predetermined format for use in an access to the storage
subsystem, among the communication packets, measuring traffic of all communication
packets received by the storage subsystem, and traffic of a communication packet judged not 
to be the packet with the predetermined format, respectively, and recording a traffic log of a 
communication packet judged not to be the communication packet with the format, judging, 
by using the measured both traffics, whether a communication failure is generated or not, and
alerting the management server, in case that it is judged that a communication failure is 
generated, referring to the traffic log, in case that the alert that the communication failure is 
generated is received in the management server from the storage subsystem, and searching
information of a source of the communication packet which causes the communication 
failure, and controlling, based on information of the searched source, a relay device which 
relays communication to the storage subsystem disposed on the communication line so as to 
cut off communication from the source.

Independent claim 20 recites a storage system having a storage subsystem
connected to a host computer through a communication line, and a management server
connected to the storage subsystem. The storage subsystem comprises an interface which
connects to the communication line and a maintenance terminal which maintains the storage
subsystem. The interface comprises a first filter which judges, on the occasion of having
received communication packets from the communication line, whether there is a
communication packet with a predetermined format for use in an access to the storage 
subsystem, among the communication packets, a second filter which receives the 
communication packet judged to be for the access in the first filter, and judges whether it is a 
communication packet permitted to access to a storage area in the storage subsystem and 
transmitted from the host computer or not, a traffic measuring and judging unit which
measures traffic of all communication packets received in the interface, and traffic of a 
communication packet judged not to be the communication packet permitted to access in the 
second filter, respectively, and calculates a value of a ratio of the both traffics 
(communication ratio), and by using the both traffics, judges whether a communication
failure is generated or not, and a communication failure alerting unit which alerts the
maintenance terminal, in case that it is judged that a communication failure is generated in 
the traffic measuring and judging unit, of that failure is generated and the communication 
ratio. The maintenance terminal comprises a warning message reporting unit which 
generates, in case that the alert of that a communication failure is generated and the 
communication ratio is received from the communication information and failure alerting 
unit, a warning message in accordance with the alert, and outputs it to the management
server. The management server comprises an output device, a failure information displaying 
unit which comprises the output device displayed the warning message and the 
communication ratio received from the warning message reporting unit, and a QoS condition 
designating unit which judges whether the communication ratio is within a predetermined 
permissible zone, and in case that it is judged to be outside the permissible zone, adjusts a 
network QoS of a relay device which relays communication to the storage subsystem 
disposed on the communication line. 

One of the benefits that may be derived is that it is possible to heighten 
security in a storage subsystem connected to a communication line, and to secure a network 
QoS to a storage subsystem. 
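
The flow recited in claims 1, 13 and 15 can be sketched as follows. This is an added example, not code from the application: the packet fields, the 0.5 ratio threshold, the minimum sample size and the source-share cut-off are all assumptions chosen for illustration, and the sample packets are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str               # source address seen by the storage interface
    storage_format: bool   # True if the packet has the predetermined access format
    initiator: str = ""    # host identifier carried by a storage-access packet


@dataclass
class InterfaceMonitor:
    permitted: set             # hosts allowed to access the storage area
    ratio_limit: float = 0.5   # assumed threshold for declaring a failure
    min_packets: int = 10      # assumed minimum sample before judging
    total: int = 0             # traffic of all received packets
    bad_format: int = 0        # traffic rejected by the first filter
    traffic_log: list = field(default_factory=list)

    def receive(self, pkt: Packet) -> bool:
        """Run both filters; return True only if the packet is accepted."""
        self.total += 1
        if not pkt.storage_format:               # first filter: format check
            self.bad_format += 1
            self.traffic_log.append((pkt.src, "format"))
            return False
        if pkt.initiator not in self.permitted:  # second filter: access check
            self.traffic_log.append((pkt.src, "access"))
            return False
        return True

    def communication_ratio(self) -> float:
        """Share of all traffic that failed the first filter."""
        return self.bad_format / self.total if self.total else 0.0

    def failure(self) -> bool:
        """Judge a communication failure from the two traffic counters."""
        return (self.total >= self.min_packets
                and self.communication_ratio() > self.ratio_limit)


def find_sources(traffic_log, share=0.5):
    """Management-server side: sources responsible for at least `share`
    of the logged rejections (the cut-off value is an assumption)."""
    counts = Counter(src for src, _ in traffic_log)
    logged = sum(counts.values())
    if logged == 0:
        return []
    return [s for s, n in counts.most_common() if n / logged >= share]


def run(packets, permitted):
    """Feed packets through the interface; on failure, return the sources
    a relay device would be told to cut off."""
    mon = InterfaceMonitor(permitted=set(permitted))
    accepted = sum(mon.receive(p) for p in packets)
    alert = mon.failure()
    return {
        "accepted": accepted,
        "ratio": mon.communication_ratio(),
        "alert": alert,
        "cut_off": find_sources(mon.traffic_log) if alert else [],
    }


# Constructed sample traffic: one permitted host, one unpermitted host,
# one noisy source sending non-storage packets, one stray sender.
SAMPLE = (
    [Packet("10.0.0.10", True, "host-a")] * 6
    + [Packet("10.0.0.20", True, "host-x")]
    + [Packet("192.0.2.66", False)] * 20
    + [Packet("10.0.0.30", False)] * 2
)
QUIET = [Packet("10.0.0.10", True, "host-a")] * 12 + [Packet("10.0.0.30", False)]

if __name__ == "__main__":
    print(run(SAMPLE, {"host-a"}))
    print(run(QUIET, {"host-a"}))
```

Claim 20 computes its communication ratio from packets rejected by the second filter rather than the first; swapping the counter incremented in `receive` gives that variant.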

B. Discussion of the References

1. U.S. Patent No. 4,413,328

This reference relates to a storage subsystem that employs removable media 
with a display at each recorder, and controls the display in such a manner as to enhance 
subsystem operation by reducing operator error and increase data and subsystem security. 
See column 1, lines 60-65. 

The reference does not teach measuring traffic of all communication packets
received in connecting to the communication line, and traffic of a communication packet 
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judging whether a communication failure is generated or not; and alerting a 
management server connected to the storage subsystem and displaying information alerted, in 
case that it is judged that a communication failure is generated in measuring the traffic of all 
communications packets received in connecting to the communication line, as recited in
independent claims 1, 9, 15, 19, and 20. Nor does it disclose referring to the traffic log, in
case that it is alerted from a communication failure alerting unit of the storage subsystem that
a communication failure is generated, and searching a source of the communication packet 
which causes the communication failure, as recited in independent claim 12. The reference 
also fails to teach referring to the traffic log, in case that it was alerted from a communication 
failure alerting unit of the storage subsystem that a communication failure is generated, and
searching a source of the communication packet which causes the communication failure; and 
controlling, based on information of a source searched in the searching, a relay device which 
relays communication to the storage subsystem disposed on the communication line for 
receiving a communication packet so as to cut off communication from the source, as recited
in independent claim 13. 

2. U.S. Patent No. 4,947,318 

This reference discloses that when the storage volume is loaded into a storage 
unit, the data protection information stored in the storage volume is automatically read out of
the storage volume and stored in a memory of the storage unit by the internal control unit of
the storage unit, and the data protection information stored in the memory is correlated with 
an access request for data in the storage volume to check the validity of the data access so
that the specified data in the storage volume is protected from an invalid or unjust access
without the aid of host computer or operation by the operator. 

The reference does not teach measuring traffic of all communication packets 
received in connecting to the communication line, and traffic of a communication packet 
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judging whether a communication failure is generated or not; and alerting a
management server connected to the storage subsystem and displaying information alerted, in 
case that it is judged that a communication failure is generated in measuring the traffic of all 
communications packets received in connecting to the communication line, as recited in 
independent claims 1, 9, 15, 19, and 20. Nor does it disclose referring to the traffic log, in
case that it is alerted from a communication failure alerting unit of the storage subsystem that 
a communication failure is generated, and searching a source of the communication packet 
which causes the communication failure, as recited in independent claim 12. The reference 
also fails to teach referring to the traffic log, in case that it was alerted from a communication
failure alerting unit of the storage subsystem that a communication failure is generated, and
searching a source of the communication packet which causes the communication failure; and
controlling, based on information of a source searched in the searching, a relay device which 
relays communication to the storage subsystem disposed on the communication line for
receiving a communication packet so as to cut off communication from the source, as recited 
in independent claim 13. 

3. U.S. Patent No. 6,728,844 B2

This reference discloses a standardized fiber channel as an interface between 
one or more host computers and a storage control device. It also includes host computers and 
a storage control device plus more than one storage device operable under control of the 
storage control device, wherein the fiber channel connection storage control device has a 
security function in the environment capable of physically receiving any access from the host
computers, and eliminating or deterring unauthorized access attempts from the host 
computers to the storage control device, which did not have any means for rejecting 
unauthorized access from host computers. See column 2, lines 10-20.

The reference does not teach measuring traffic of all communication packets
received in connecting to the communication line, and traffic of a communication packet 
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judging whether a communication failure is generated or not; and alerting a 
management server connected to the storage subsystem and displaying information alerted, in 
case that it is judged that a communication failure is generated in measuring the traffic of all 
communications packets received in connecting to the communication line, as recited in
independent claims 1, 9, 15, 19, and 20. Nor does it disclose referring to the traffic log, in
case that it is alerted from a communication failure alerting unit of the storage subsystem that
a communication failure is generated, and searching a source of the communication packet
which causes the communication failure, as recited in independent claim 12. The reference 
also fails to teach referring to the traffic log, in case that it was alerted from a communication 
failure alerting unit of the storage subsystem that a communication failure is generated, and 
searching a source of the communication packet which causes the communication failure; and 
controlling, based on information of a source searched in the searching, a relay device which 
relays communication to the storage subsystem disposed on the communication line for
receiving a communication packet so as to cut off communication from the source, as recited
in independent claim 13. 

4. U.S. Patent No. 6,779,083 B2 

This reference discloses that in this storage subsystem, a user can make setting 
of accessible LUN and setting on a connection interface in an arbitrary group unit of 
computers under a single port without changing existing processing, limitation and other
functions of the computers. Therefore, this storage subsystem can accomplish an access 
control function, that is, a LUN security function, for computer groups having a plurality of 
kinds of OS under a single port. 

The reference does not teach measuring traffic of all communication packets
received in connecting to the communication line, and traffic of a communication packet 
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judging whether a communication failure is generated or not; and alerting a 
management server connected to the storage subsystem and displaying information alerted, in
case that it is judged that a communication failure is generated in measuring the traffic of all
communications packets received in connecting to the communication line, as recited in
independent claims 1, 9, 15, 19, and 20. Nor does it disclose referring to the traffic log, in
case that it is alerted from a communication failure alerting unit of the storage subsystem that
a communication failure is generated, and searching a source of the communication packet
which causes the communication failure, as recited in independent claim 12. The reference 
also fails to teach referring to the traffic log, in case that it was alerted from a communication
failure alerting unit of the storage subsystem that a communication failure is generated, and 
searching a source of the communication packet which causes the communication failure; and 
controlling, based on information of a source searched in the searching, a relay device which 
relays communication to the storage subsystem disposed on the communication line for
receiving a communication packet so as to cut off communication from the source, as recited
in independent claim 13. 

5. European Patent Publication No. EP 1,117,028 A2

This reference relates to techniques for performing security functions in 
computer storage subsystems in order to prevent illegal access by the host computers 
according to logical unit (LU) identity. Management tables can be used to disclose the 
Logical Unit in the storage subsystem to the host computers in accordance with the user's 
operational needs. In a specific embodiment, accessibility to a storage subsystem resource 
can be decided when an Inquiry Command is received, providing systems and apparatus 
wherein there is no further need to repeatedly determine accessibility for subsequent accesses
to the Logical Unit. 

The reference does not teach measuring traffic of all communication packets 
received in connecting to the communication line, and traffic of a communication packet 
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judging whether a communication failure is generated or not; and alerting a 
management server connected to the storage subsystem and displaying information alerted, in 
case that it is judged that a communication failure is generated in measuring the traffic of all 
communications packets received in connecting to the communication line, as recited in 
independent claims 1, 9, 15, 19, and 20. Nor does it disclose referring to the traffic log, in
case that it is alerted from a communication failure alerting unit of the storage subsystem that
a communication failure is generated, and searching a source of the communication packet
which causes the communication failure, as recited in independent claim 12. The reference
also fails to teach referring to the traffic log, in case that it was alerted from a communication
failure alerting unit of the storage subsystem that a communication failure is generated, and 
searching a source of the communication packet which causes the communication failure; and 
controlling, based on information of a source searched in the searching, a relay device which 
relays communication to the storage subsystem disposed on the communication line for
receiving a communication packet so as to cut off communication from the source, as recited 
in independent claim 13. 

6. Japanese Patent Publication No. JP 2001-265655 

This reference discloses a technique to provide a security function in a storage 
subsystem using the flexible and efficient presentation method of storage resources by 
performing execution with high-speed judgment logic without affecting a processing on the 
side of a host computer. An information WWN for uniquely identifying the host computer, a 
management table where the correspondence of a logical unit number LUN inside the storage 
subsystem for which access is permitted to the host computer and a virtual LUN for 
presenting the LUN to be the access object to the host computer by a user optional method is 
described and the management table where the correspondence of the WWN and a 
dynamically allocated management number S-ID is described are stored in a nonvolatile 
memory inside the storage subsystem beforehand. 

As discussed in the present application at page 1, line 22 to page 3, line 5, the 
storage system as disclosed in the reference comprises, on a nonvolatile memory in a storage 
subsystem, in addition to a LUN access management table which manages a WWN (World 
Wide Name) as information which uniquely identifies a host computer, a LUN (Logical Unit
Number) as a number of a logical unit in a storage subsystem which permitted an access from
the host computer, and a virtual LUN as a number of a virtual LU that a user or an operating
system on the host computer arbitrarily assigned in parallel with the LUN, by associating 
them one another. In such communication that the host computer accesses to the storage
subsystem, the storage system further comprises a WWN-S-ID management table which 
manages a S-ID (Source ID) as a management number which is dynamically assigned at the 
time of log-in and which is always constant during the host computer is in operation, and the 
WWN of the host computer, by associating them each other. 






Appl. No. 10/791,452 PATENT 
Petition to Make Special 

In the storage system, with reference to these two management tables, right 
and wrong of an access to a logical unit is judged at the time point of generation of an inquiry 
command at the time of log-in. After that, there is no necessity to repeat this judgment. On 
this account, it is possible to limit right and wrong of an access with each of a logical unit, 
over maintaining and operating a storage subsystem with high performance, which realizes 
strong security. In this regard, however, the storage system disclosed in the reference is a 
system which was built up by a dedicated network, such as a SAN (Storage Area Network) in 
which a host computer and a storage subsystem are connected to be networked by using a 
dedicated interface called as Fiber Channel (FC). Therefore, it is a premise that only a SCSI 
command, which is a command set for an access from a host computer to a storage 
subsystem, is transmitted to a storage subsystem. 

The reference does not teach measuring traffic of all communication packets 
received in connecting to the communication line, and traffic of a communication packet
judged not to be the packet with the format in the first filter, respectively, and by using the 
both traffics, judging whether a communication failure is generated or not; and alerting a 
management server connected to the storage subsystem and displaying information alerted, in 
case that it is judged that a communication failure is generated in measuring the traffic of all 
communications packets received in connecting to the communication line, as recited in 
independent claims 1, 9, 15, 19, and 20. Nor does it disclose referring to the traffic log, in
case that it is alerted from a communication failure alerting unit of the storage subsystem that 
a communication failure is generated, and searching a source of the communication packet 
which causes the communication failure, as recited in independent claim 12. The reference 
also fails to teach referring to the traffic log, in case that it was alerted from a communication 
failure alerting unit of the storage subsystem that a communication failure is generated, and 
searching a source of the communication packet which causes the communication failure; and 
controlling, based on information of a source searched in the searching, a relay device which 
relays communication to the storage subsystem disposed on the communication line for
receiving a communication packet so as to cut off communication from the source, as recited
in independent claim 13.

(f) In view of this petition, the Examiner is respectfully requested to issue